In a concerning development in cyber warfare, the Iran-aligned threat actor known as TA450, also recognized by aliases such as MuddyWater, Mango Sandstorm, and Static Kitten, has been reported to employ a new strategy in its phishing campaigns.
Proofpoint researchers have identified a shift in the group’s tactics, which now involve embedding malicious links within PDF attachments sent to employees of global manufacturing, technology, and information security companies, with a particular focus on Israeli targets.
The Evolution of TA450’s Methods
Historically, TA450 has been known for its direct approach of including malicious links within the body of phishing emails.
However, in a campaign that began on March 7, 2024, and persisted through the week of March 11, the group has added an extra layer to its attack chain by using PDF attachments as a vector for delivering these harmful links.
This marks the first time Proofpoint researchers have observed such a technique from TA450, indicating a significant pivot in the group’s modus operandi.
The Social Engineering Lure
The recent phishing attempts have utilized a pay-related social engineering lure, a tactic designed to exploit human psychology by promising financial incentives.
This method has proven effective in targeting Israeli employees, a demographic that TA450 has been actively pursuing since at least October 2023, following the onset of the Israel-Hamas conflict.
The campaign’s success is partly due to the use of sender email accounts that match the lure’s content, adding a layer of authenticity to the phishing emails.
The shift in TA450’s tactics is particularly alarming given the group’s alignment with Iran’s Ministry of Intelligence and Security, as attributed by the United States Cyber Command in January 2022.
The use of PDF attachments to conceal malicious URLs represents an escalation in the sophistication of TA450’s attacks, posing a heightened risk to organizations and their employees.
The Campaign’s Impact
The campaign’s impact is not to be underestimated. By sending multiple phishing emails with PDF attachments to the same targets, TA450 increases the likelihood of successful infiltration.
Once an unsuspecting employee clicks the embedded link, they are taken to a ZIP archive hosted on Onehub, which in turn delivers remote administration software.
This software grants TA450 access to the victim's system, enabling data theft, espionage, or further malicious activity.
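As an added example (not Proofpoint's or the article's own code), the following Python scans an uncompressed PDF for /URI link actions and flags any that point at the file-sharing hosts listed in the IOC table, plus a check for the lure-style attachment names (salary.zip, salary.msi); the sample PDF bytes and the EXAMPLEID path are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Hosts from the IOC table that served the ZIP payload (re-fanged from hxxp/[.]).
PAYLOAD_HOSTS = {"ws.onehub.com", "salary.egnyte.com", "ln5.sync.com", "terabox.com"}
# Attachment names from the IOC table (salary.zip / salary.msi).
LURE_NAME_RE = re.compile(r"^salary\.(zip|msi)$", re.IGNORECASE)

# PDF link actions: /A << /S /URI /URI (literal) >> or /URI <hex>.
# Caveat: only uncompressed objects are visible to this regex; real PDFs often
# keep annotations in FlateDecode object streams, which must be inflated first.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")

def extract_uris(pdf_bytes):
    """Return every URI string found in /URI actions, in file order."""
    uris = []
    for m in URI_LITERAL_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    for m in URI_HEX_RE.finditer(pdf_bytes):
        uris.append(bytes.fromhex(m.group(1).decode("ascii")).decode("latin-1"))
    return uris

def flag_payload_hosts(uris):
    """Return the URIs whose host is (or is under) a known payload host."""
    flagged = []
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        if host in PAYLOAD_HOSTS or any(host.endswith("." + h) for h in PAYLOAD_HOSTS):
            flagged.append(uri)
    return flagged

def is_lure_attachment_name(name):
    """True for attachment names matching the campaign's salary.zip / salary.msi."""
    return LURE_NAME_RE.match(name.strip()) is not None

# Constructed minimal PDF: one link to a payload host, one benign link.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"  /A << /S /URI /URI (http://ws.onehub.com/files/EXAMPLEID) >> >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link\n"
    b"  /A << /S /URI /URI (https://example.org/help) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    found = extract_uris(SAMPLE_PDF)
    print("URIs:", found)
    print("Flagged:", flag_payload_hosts(found))  # prints the ws.onehub.com link
```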
Indicators of Compromise (IOCs)
Indicator | Type |
salary | Example of compromised email sender |
תלושי השכר (Machine translation: Pay slip) | Email subject |
תלוש שכר לחודש 02/2024 (Machine translation: Pay slip for the month 02/2024) | Email subject |
סיסמה לתלוש שכר (Machine translation: Pay slip password) | Email subject |
תלוש השכר .pdf (Machine translation: Pay slip) | Document title |
dee6494e69c6e7289cf3f332e2867662958fa82f819615597e88c16c967a25a9 | SHA256 (PDF) |
hxxp://ws.onehub[.]com/files/[alphanumericidentifier] | Example malicious URL |
hxxps://salary.egnyte[.]com/[alphanumericidentifier] | Example malicious URL |
hxxps://ln5.sync[.]com/[alphanumericidentifier] | Example malicious URL |
hxxps://terabox[.]com/s/[alphanumericidentifier] | Example malicious URL |
cc4cc20b558096855c5d492f7a79b160a809355798be2b824525c98964450492 | SHA256 (salary.zip) |
e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f | SHA256 (salary.msi) |